Monday, June 25, 2007

[UNIX] VLC Format String Vulnerability And Integer Overflow

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html


- - - - - - - - -

VLC Format String Vulnerability And Integer Overflow
------------------------------------------------------------------------


SUMMARY

VLC is vulnerable to a format string attack in the parsing of Vorbis
comments in Ogg Vorbis and Ogg Theora files, CDDA data or SAP/SDP service
discovery messages. Additionally, there are two errors in the handling of
wav files, one a denial of service due to an uninitialized variable, and
one integer overflow in sampling frequency calculations.

DETAILS

Vulnerable Systems:
* VLC version 0.8.6b

Immune Systems:
* VLC version 0.8.6c

The input_vaControl function in input.c calls vasprintf() with an
externally-supplied format string, as specified in the value of a Vorbis
comment. This can lead to arbitrary code execution.

An excessively large sample rate causes an integer overflow, resulting in
a SEGV in __status_Update in stats.c.

An uninitialized i_nb_resamplers in input.c can cause a crash during audio
stream processing.

Impact:
If successful, a malicious third party could use this vulnerability to
execute arbitrary code within the context of VLC media player (i.e.
acquire local user privileges on the vulnerable system), or crash the
player instance.

Fix Information:
These issues are fixed version 0.8.6c.

Workarounds:
If support for Audio CDs and ogg files are not used, one can remove the
affected plugins manually from the VLC plugin "access" directory. Relevant
filenames are as follow:

Microsoft Windows
codec/libvorbis_plugin.dll, codec/libtheora_plugin.dll and
access/libcdda_plugin.dll

Apple MacOS X
codec/libvorbis_plugin.dylib, codec/libtheora_plugin.dylib and
access/libcdda_plugin.dylib

Other (Linux, BSD...)
codec/libvorbis_plugin.so, codec/libtheora_plugin.so and
access/libcdda_plugin.so (typically found in /usr/lib or /usr/local/lib).

Otherwise, files coming from untrusted source should not be opened, and
CDDB must be disabled.

The SAP service discovery plugin must not enabled (it is disabled by
default).

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3316>
CVE-2007-3316


ADDITIONAL INFORMATION

The information has been provided by <mailto:david@isecpartners.com>
David Thiel.
The original article can be found at:
<http://www.isecpartners.com/advisories/2007-001-vlc.txt>

http://www.isecpartners.com/advisories/2007-001-vlc.txt

========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

No comments:

Post a Comment